Are Cyber Criminals Using Plus-Sized Malware To Fool AV?

Obesity is an epidemic in the United States. And it looks as if it may soon be a problem in malware circles, as well.

After years of watching malware authors pack their poison into smaller and smaller packages, one forum frequented by those seeking help with virus infections says that it is seeing just the opposite: simple malware wrapped within obscenely large executables, in one case over 200 megabytes.

This malware dropper weighed in at over 200 MB – possibly an effort to stymie AV clients

A post on the French-language web site Malekal.com on Thursday described what may be a nascent trend towards ‘plus size’ malware executables. In at least two cases in recent days, the forum has seen evidence of Trojan Dropper programs that deposit very large files – between 16 megabytes and 200 megabytes – on infected systems.

In one case, the author discovered an exploit kit that deposited a very large file – around 16 megabytes – on infected systems. In a separate incident, he came across two large malware samples in an online forum on Malekal.com frequented by users looking for help with malware removal.

The extra girth isn’t about added functionality, according to the post. The 205 megabyte executable that was dropped would have zipped down to just 205K, a much more efficient file to transport to an infected system. A compression ratio of roughly 1,000 to 1 is only possible if nearly the whole file is highly redundant filler (long runs of identical bytes, for instance) rather than code or packed data: the bulk is padding.
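The compression figure above is the tell, and it can be turned into a triage check. The following is an added example, not code from the Malekal post or from any AV product: it compresses a sample, measures the byte entropy of its head and tail, and flags a large file that collapses to almost nothing, which is what a small payload glued to a huge run of filler looks like. The thresholds and the constructed sample files are assumptions for illustration (the sample builder needs Python 3.9+ for `random.Random.randbytes`).

```python
"""Triage heuristic for 'plus-sized' executables: does a large file compress
away to almost nothing (padding), and where does the real payload sit?

Added example; not code from the Malekal post. Thresholds and the
constructed sample files are assumptions chosen for illustration.
"""
import math
import random
import zlib
from collections import Counter

# Assumed thresholds: tune to your environment.
LARGE_FILE_BYTES = 16 * 1024 * 1024   # smallest oversize dropper mentioned in the post
SUSPICIOUS_RATIO = 50.0               # 205 MB -> 205 KB is a ratio of about 1000
LOW_ENTROPY_BITS = 1.0                # bits/byte; random or packed data is close to 8

CHUNK = 1024 * 1024                   # 1 MiB window for head/tail entropy and compression


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a run of one value, ~8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return max(0.0, -sum(c / n * math.log2(c / n) for c in counts.values()))


def compressed_size(data: bytes) -> int:
    """Size of the zlib (deflate) stream at level 6, fed chunk-wise to bound memory."""
    comp = zlib.compressobj(6)
    total = 0
    for i in range(0, len(data), CHUNK):
        total += len(comp.compress(data[i:i + CHUNK]))
    total += len(comp.flush())
    return total


def triage(data: bytes) -> dict:
    """Return size, compression ratio, head/tail entropy and a padding verdict.

    'padded' requires BOTH an oversize file and an extreme compression ratio:
    a tiny all-zero file or a large but incompressible file is not flagged.
    """
    size = len(data)
    csize = compressed_size(data)
    ratio = size / max(csize, 1)
    head_entropy = shannon_entropy(data[:CHUNK])
    tail_entropy = shannon_entropy(data[-CHUNK:])
    padded = size >= LARGE_FILE_BYTES and ratio >= SUSPICIOUS_RATIO
    return {
        "size": size,
        "compressed_size": csize,
        "ratio": round(ratio, 1),
        "head_entropy": round(head_entropy, 2),
        "tail_entropy": round(tail_entropy, 2),
        "padded": padded,
        # A near-constant tail means the filler was appended and the
        # payload worth analysing is at the front of the file.
        "payload_likely_at_front": padded and tail_entropy < LOW_ENTROPY_BITS,
    }


def build_padded_sample(payload_bytes: int = 200 * 1024,
                        padding_bytes: int = 20 * 1024 * 1024) -> bytes:
    """Constructed stand-in for a padded dropper: pseudo-random 'payload' + zero filler."""
    payload = random.Random(7).randbytes(payload_bytes)
    return payload + b"\x00" * padding_bytes


def build_control_sample(size: int = 17 * 1024 * 1024) -> bytes:
    """Constructed control: an oversize but incompressible blob (e.g. a packed installer)."""
    return random.Random(11).randbytes(size)


if __name__ == "__main__":
    for name, sample in (("padded", build_padded_sample()),
                         ("control", build_control_sample())):
        print(name, triage(sample))
```

Size alone is not the signal: a legitimate 17 MB installer full of compressed resources will not compress further, so its ratio stays near 1. The padded sample trips both conditions, and its zero-entropy tail tells the analyst to carve the first few hundred kilobytes for analysis and to submit that, not the 200 MB shell, to the vendor.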

So why go large? The current theory is that larger executables frustrate the real-time detection capabilities of modern AV clients. Pretty much every modern antivirus agent is programmed to grab new, suspicious files and send them up to cloud-based servers that generate a new signature for the malware. Files might be transported whole cloth, or hashed with only the hash transported. Alternatively, IT staff may submit suspicious files by e-mail to their antivirus provider’s lab.

But many of these features were designed on the assumption that executables would be of modest size at most. Shipping whole samples in the tens or hundreds of megabytes could bog down cloud-based servers, and attachments that size are likely to be rejected outright by the vendor’s e-mail server, preventing quick detection. (A hash is the same size however large the file, so the bottleneck is moving and storing the sample itself, not the hash; but a hash alone cannot yield a signature for a sample the vendor never receives in full.)

It’s a theory – but just a theory. What is known is that the malware in question connects back to a command and control server in China that pushes a variety of other malware to the infected host, including “Trojan Clickers” that are used to inflate traffic to web sites – generating referral income for the fraudsters or companies they control.

Malware authors have historically adopted various techniques to shrink their creations down to the smallest possible package, the better to evade detection. Many malware infections today are multi-stage affairs, starting with the exploitation of a vulnerability in a common software component, followed by downloader programs that pull down additional malware components.

However, recent incidents have shown that even large malware packages can lie undetected. The Flame malware, for example, weighed in at over 20 megabytes and supported 20 separate plug-ins as well as different libraries and databases.